Gmail's Security Hole Could Lead to Mass Harvesting of Accounts

May 20, 2012

Gmail's Security Hole Could Lead to Mass Harvesting of Accounts

Hackers could automate a social engineering trick that has already been proven to work.

Google’s account recovery procedure can make it unclear to users that they’re giving hackers full access to their account

A technique used by marketers to trick people into signing up for “free” merchandise could easily be re-deployed as an engine for harvesting untold numbers of Google account passwords. Fixing the issue won’t be trivial for Google, because the exploit is fundamental to how Google allows users to recover access to their accounts when they lose or forget their passwords.

While others have reported on the use of this exploit by individual hackers, I believe what you’re reading now is the first account of how it could be transformed into a mass phishing scam that could dragoon even relatively sophisticated users.

The Hack

Recently, my wife and I both received, within an hour of one another, a text like this:

Our phone numbers are almost identical, so the fact that we both got this text in a short period of time suggests that someone is auto-SMSing it to every number in a certain range, one after another. Which would make it classic text spam, annoying but not dangerous on its own.

The URL contained in the text goes to this website, http://bestbuy.bestgiftcardsforu.com/ which asks for your email address. The site appears to be affiliated with (or at least is linking to and borrows text from) MyRewardsClub.com. I don’t think these people are hackers, just marketers.

But here’s how hackers could turn this marketing scheme into a password-harvesting scheme: After users enter their email address, if it’s a gmail address, hackers could automatically request that Google send an account verification code to the cell phone of the owner of that Gmail address. This is what Google does when you tell it that you forgot your password – one of the three options for recovering it is to have a verification code sent to the cell phone number associated with your account.

In order for the user to claim their “reward” (in this case, a fake $1000 gift card) the site could then direct them to enter the verification code that Google sent to the user’s phone. As soon as the site has both a user’s Gmail address and that verification code, it’s game over – hackers can use the code to log into that account and immediately change the password, giving them access and locking the user out of their own account.

Is it really so easy to hack a Gmail account? See for yourself: Go to the Gmail login screen and click on the frequently ignored link underneath the sign-in menu, “Can’t access your account?” Three options appear; choose “I forgot my password.” Type in a Gmail address—any active Gmail address—and if there’s a phone number associated with the account, you’re given three more options, one of which is “Get a verification code on my phone.” You don’t even need to know the phone number. Just hit “continue” and an unrelated six-digit code will appear in a text to the account owner’s phone. Type in that verification code—a number easily obtained by a masquerading e-impostor—and you’re in. The first thing you’re prompted to do is immediately change your password, thereby blocking out the original owner.

In other words, if a hacker knows only your Gmail address and can figure out how to access your phone, he’s already most of the way into your shit.

In the case of the hacker collecting images for Is Anyone Up, it appears that he or she chatted up targets via Facebook.

An Increasingly Common Phishing Scheme

This attack has been used by others, and may be widespread. Lokesh Singh, a “professional hacker,” describes on the site HackingLoops how one of his clients fell victim to this same hack, only the attacker used Gchat to convince the victim to hand over the verification code that Google had texted to him.

What Google and its users are facing, in other words, is a phishing scheme that appears to work even on relatively sophisticated users, or at least the kind who are smart enough not to click on random links in spam emails. But what I described at the beginning of this piece potentially takes this attack to a whole new level, beyond labor-intensive hacks of individual accounts and into the realm of automated, large-scale password harvesting.

It’s great that Google has a way for users to recover access to their Gmail accounts that relies on a secondary device that hackers almost never have access to – a user’s cell phone. The weak link, as always, is the human who already has access to all their supposedly secure touch points – the user himself. Perhaps this attack can be stymied simply by raising awareness of the fact that no one should ever, ever hand over their google verification code.